CatalystWIP
Donate
Legal

The fine print

Catalyst publishes information drawn from public SEC EDGAR filings, paired with AI-generated commentary. Nothing on this site is investment advice. Please read the documents below before relying on anything you see here.

Document 02 / 03

Privacy Policy

Last updated and effective: May 10, 2026

1. Who we are

Data controller

Catalyst (catalystview.xyz) is operated by an individual sole proprietor based in the Republic of Lithuania, who acts as the “controller” for the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”) and the Lithuanian Law on Legal Protection of Personal Data.

Data-protection contact: privacy@catalystview.xyz. Because we are a small operator, we have not appointed a Data Protection Officer; the operator handles all data-protection matters personally.

2. Scope

What this policy covers

This policy explains what personal data Catalyst collects, why we collect it, how we use and share it, and the rights you have. It applies to visitors to catalystview.xyz, registered account holders, free-tier users, paying subscribers, and email recipients.

Catalyst is a privacy-conscious product: we ask for the minimum amount of personal data needed to run the Service and we do not sell personal data to anyone.

3. What we collect

Categories of personal data

CategoryExamplesSource
Account dataEmail address, display name, profile image (if provided), Clerk user ID, hashed password or OAuth identifierYou / Clerk
Usage dataPages visited, signals viewed, watchlist items, interactions, device type, approximate location derived from IPAutomatic
Technical dataIP address, browser, OS, referrer, request timestamps, error logsAutomatic
CommunicationsEmails you send us; alerts and transactional emails we send you (and basic delivery metadata)You / Resend

We do not knowingly collect data from children under 18, special-category data (Article 9 GDPR), or criminal-conviction data.

4. How we use it

Purposes and legal bases

  • Provide the Service — create and authenticate your account, deliver signals, manage watchlists. Legal basis: performance of a contract, Art. 6(1)(b) GDPR.
  • Send transactional and alert emails — signal alerts you opted into, account notices, security messages. Legal basis: contract / legitimate interest, Art. 6(1)(b) and (f) GDPR.
  • Operate, secure, and improve the Service — debugging, abuse prevention, capacity planning, analytics in aggregate. Legal basis: legitimate interest, Art. 6(1)(f).
  • Comply with law — respond to lawful requests, defend legal claims. Legal basis: legal obligation / legitimate interest, Art. 6(1)(c) and (f).

We do not use your personal data to make automated decisions that produce legal or similarly significant effects (Art. 22 GDPR). The AI commentary you see is generated from public SEC filings, not from your personal data.

5. Cookies and similar tech

What we set

  • Strictly necessary cookies set by Clerk to keep you signed in.
  • Vercel Analytics — a privacy-friendly, cookieless analytics product from Vercel that records aggregate page-view counts. It does not use third-party cookies and does not build cross-site profiles.
  • Vercel Speed Insights — performance telemetry that records anonymous metrics about page load times.

Because we rely only on strictly-necessary cookies and a cookieless analytics tool, we do not display a cookie consent banner. If we ever introduce non-essential cookies or marketing trackers we will request your prior consent in line with the ePrivacy Directive.

6. Sub-processors

Who we share data with

We use a small number of carefully selected service providers (“processors”) who act only on our documented instructions:

ProcessorPurposeLocation / safeguard
Clerk, Inc.Authentication, session management, user profilesUSA — EU Standard Contractual Clauses (SCCs)
Vercel, Inc.Web hosting, edge delivery, anonymous analytics, performance monitoringUSA / EU edge — SCCs, EU-US Data Privacy Framework
Resend, Inc.Sending transactional and alert emailsUSA — SCCs
OpenRouterRouting AI prompts to large language models that summarise public filings; we do not send personal data in these promptsUSA — SCCs where applicable

We may also disclose data when required by law, in response to a valid request from a competent authority, or to defend our rights. We do not sell personal data and we do not engage in cross-context behavioural advertising.

7. International transfers

Data leaving the EEA

Several of our processors are located in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where the recipient is certified, the EU-US Data Privacy Framework. You may request a copy of the relevant safeguard by emailing us.

8. Retention

How long we keep your data

  • Account data: for as long as your account exists, plus up to 30 days after deletion to allow restore.
  • Email logs: up to 12 months for deliverability and abuse-prevention.
  • Web logs & analytics: up to 12 months in identifiable form, longer in aggregated, non-identifiable form.
  • Billing records: at least 10 years where required by Lithuanian and EU accounting law.
  • Support emails: up to 24 months after the issue is resolved.
9. Your rights

What you can ask us to do

Under the GDPR and Lithuanian law you have the right to:

  • Access the personal data we hold about you (Art. 15);
  • Rectify inaccurate or incomplete data (Art. 16);
  • Erase your data (“right to be forgotten”, Art. 17);
  • Restrict certain processing (Art. 18);
  • Portability — receive a machine-readable copy and transmit it elsewhere (Art. 20);
  • Object to processing based on legitimate interests, including profiling (Art. 21);
  • Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

To exercise any of these rights, email privacy@catalystview.xyz. We will respond within one month, and may extend by two months for complex requests. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI), L. Sapiegos g. 17, LT-10312 Vilnius (vdai.lrv.lt), or with the supervisory authority of your EU country of residence.

10. Security

How we protect your data

We rely on industry-standard infrastructure: TLS in transit, encryption at rest with our hosting and authentication providers, hardened password storage handled by Clerk, principle-of-least-privilege access for the operator, and regular dependency updates. No system can be guaranteed perfectly secure; if we discover a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where the risk is high, notify affected users without undue delay (Art. 33 & 34 GDPR).

11. Children

Age requirement

The Service is not directed at children under 18. We do not knowingly collect data from children under that age. If you believe a child has provided personal data to Catalyst, contact us and we will delete it.

12. Changes

Updates to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the current version. Material changes will be communicated via the Service and, where appropriate, by email at least 14 days before they take effect.

13. Contact

Reach the controller

For privacy questions, GDPR requests, or anything else covered by this policy, write to privacy@catalystview.xyz.